safety paper - please send feedback!

William Cohen wcohen@redhat.com
Wed Mar 23 23:41:00 GMT 2005


The "G5. No procedures" is a rather severe restriction. Depending on how 
you count the runtime libraries, it can't be enforced.
It would be better to generate a static call graph of the function calls 
and verify there are no cycles. This will allow some factoring of code 
rather than having to inline everything. In most cases we can live without 
recursive functions.

Dynamic allocation could be done, but only in the initial loading of the 
module, and there must be checks to verify that it is successful. The 
probes themselves cannot do dynamic allocation.

G15.  "prefer mechanism that are intuitive to a programmer of
relatively ordinary skill." Lots of programmers of ordinary skill are
going to get things wrong.  There is a need to make it provable
to people, but there are lots of simple solutions that don't work in
the general case.  Theory and validation are still needed.

Definitely need to have a specification of the systemtap input language 
written that is concise.

-Will
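The static call-graph check suggested above, as an added illustration that is not part of Will's message or of SystemTap itself: it extracts the script-level function definitions from a constructed SystemTap-style snippet (assumed simplified syntax with single-level bodies), builds the callee graph, and runs a depth-first search that reports the first cycle it finds (direct or mutual recursion). Calls to names that are not script functions (printf, if, ...) are ignored, which is the assumption that lets the check stay simple.

```python
import re

# Constructed sample in a simplified SystemTap script syntax (assumption:
# function bodies contain no nested braces). walk() is self-recursive,
# the other functions are not.
SAMPLE_SCRIPT = """
function log_event(msg) { printf("%s\\n", msg) }
function helper(x) { return x + 1 }
function walk(n) { if (n > 0) walk(n - 1); log_event("step") }
function safe_fn(a) { return helper(helper(a)) }
"""

# 'function NAME(...) { BODY }' with a non-greedy body (single-level braces only)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{(.*?)\}", re.DOTALL)
# any identifier followed by '(' is a call candidate
CALL_RE = re.compile(r"\b(\w+)\s*\(")


def build_call_graph(src):
    """Map each script function to the sorted list of script functions it calls.

    Names that are not defined in the script (builtins such as printf, or
    keywords such as if) are not part of the graph.
    """
    defs = {name: body for name, body in FUNC_RE.findall(src)}
    graph = {}
    for name, body in defs.items():
        callees = {c for c in CALL_RE.findall(body) if c in defs}
        graph[name] = sorted(callees)
    return graph


def find_cycle(graph):
    """Return one cycle as a list of names (first == last), or None if acyclic.

    Three-colour DFS: a callee that is still on the recursion stack (GRAY)
    closes a cycle; BLACK nodes have been fully explored and cannot.
    """
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {n: WHITE for n in graph}
    stack = []

    def dfs(node):
        color[node] = GRAY
        stack.append(node)
        for callee in graph.get(node, []):
            state = color.get(callee, WHITE)
            if state == GRAY:
                # back edge: everything from the callee down to here is the cycle
                return stack[stack.index(callee):] + [callee]
            if state == WHITE:
                found = dfs(callee)
                if found:
                    return found
        stack.pop()
        color[node] = BLACK
        return None

    for node in graph:
        if color[node] == WHITE:
            found = dfs(node)
            if found:
                return found
    return None


def check_script(src):
    """Convenience wrapper: cycle for the script, or None when it is recursion-free."""
    return find_cycle(build_call_graph(src))


if __name__ == "__main__":
    cycle = check_script(SAMPLE_SCRIPT)
    if cycle:
        print("recursion found: " + " -> ".join(cycle))
    else:
        print("call graph is acyclic")
```

Because the graph is built once from source, the check runs before anything is loaded into the kernel and needs no runtime support; a real translator would build the graph from its parsed AST rather than from regular expressions, but the cycle test is the same.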


